Article

Succeeding with Azure Sentinel workbooks

by Jeff Christman
Senior Consultant, Cloud Security

I recently completed a project for a client to implement Microsoft Sentinel. If you are not familiar with Sentinel, it is cloud native SEIM/SOAR (Security Event & Incident Management / Security Orchestration Automation Response) tool that provides attack detection, threat visibility, proactive hunting, and threat response.

Sentinel utilizes workbooks to automate data collection and correlation. Sentinal workbooks are a nice tool that automates a lot of information gathering and analysis. At a high level, workbooks host queries on specific data within your Azure tenant. For example, I have workbooks showing Dynamics 365 logins, log outs, and what users are accessing. I have another that looks specifically at App Gateway traffic for details like how busy the system is, measured by the number of concurrent connections. Workbooks can query very specific data points among your resources.  

This particular client needed to demonstrate some ISO compliance. They were going through an ISO audit, and I created a workbook to look for compliance items as specified in the ISO audit. At the end of the audit, you could click a button and show their internal ISO compliance team a report. They were very happy with it.

Workbooks are helpful, but it is important to keep in mind that a lot of development work may be needed on the backend to get the workbook running right. Sentinel doesn’t actually get the reporting information itself. Sentinel is a dashboard, presenting information in an organized format.

Taking ISO compliance as an example, there are several ISO standards, and there are different workbooks for different ISO standards. For a similar reporting scenario, you could download the workbook you need and run it. When it runs, it will show where you are compliant or not compliant. If you did not have a Sentinel workbook you would have to go all over the tenant looking for compliance rules, whereas it centralizes the information for a nice report.

Many of the workbooks are created through the Sentinel community. The ISO-related workbook came from the ISO community. Fortunately, many already exist off the shelf. Just download it and make a few changes to modify it for your environment. One of the best ways to find workbooks is through GitHub. There is a repo of these workbooks that the Azure Sentinel community has started.

FREE Membership Required to View Full Content:

Joining MSDynamicsWorld.com gives you free, unlimited access to news, analysis, white papers, case studies, product brochures, and more. You can also receive periodic email newsletters with the latest relevant articles and content updates.
Learn more about us here

Get full access
Azure Compute Integration Security
About Jeff Christman

Jeff Christman is a distinguished Navy Veteran boasting more than two decades of expertise in the Information Technology sector. He possesses a specialized focus on cloud migration projects, having contributed his skills to prestigious organizations including Raytheon, AT&T, and NASA. Presently, he holds the position of Senior Cloud Security Consultant at a prominent consulting firm. Beyond his professional endeavors, Jeff is an accomplished author and educator, developing and publishing content and courses for renowned platforms such as Pluralsight.com, Techsnips.io, and Adamtheautomator.com.

Outside of his professional pursuits, Jeff enjoys engaging in fantasy football, exploring advancements in technology, and playfully teasing his teenage daughters.

More about Jeff Christman